Use Case: Configuring Auto Policy-Based Routing

Aug 30, 2016

Auto Policy-Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy-based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

To understand the need for APBR, first consider a NAT-based scenario in which a packet flows from the client to the server and from the server back to the client.

1. The Cisco Nexus switch receives the packet and forwards it to a server.
   SRC_IP= NAT_IP; DST_IP= RS_IP

2. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.
   SRC_IP= RS_IP; DST_IP= NAT_IP

3. The Cisco Nexus switch forwards the packet to the NetScaler ADC.
   SRC_IP= RS_IP; DST_IP= NAT_IP

4. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.
   SRC_IP= VIP; DST_IP= Client_IP

5. The Cisco Nexus 7000 series switch forwards the packet to the client.
   SRC_IP= VIP; DST_IP= Client_IP

The client receives the packet. However, the client IP address is not visible to the server, because the server only ever sees NAT_IP as the source address.

Now consider a scenario in which policy-based routing (PBR) directs the packet flow.

1. The client initiates traffic to the virtual IP (VIP) address.
   SRC_IP= Client_IP; DST_IP= VIP

2. The Cisco Nexus switch forwards the packet to the NetScaler ADC.
   SRC_IP= Client_IP; DST_IP= VIP

3. The ADC performs destination NAT (Network Address Translation), changes the destination IP address, and sends the packet to the Cisco Nexus switch.
   SRC_IP= Client_IP; DST_IP= RS_IP

4. The Cisco Nexus switch receives the packet and forwards it to a server.
   SRC_IP= Client_IP; DST_IP= RS_IP

5. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.
   SRC_IP= RS_IP; DST_IP= Client_IP

6. The Cisco Nexus switch forwards the packet to the NetScaler ADC.
   SRC_IP= RS_IP; DST_IP= Client_IP

7. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.
   SRC_IP= VIP; DST_IP= Client_IP

8. The Cisco Nexus 7000 series switch forwards the packet to the client.
   SRC_IP= VIP; DST_IP= Client_IP

The client receives the packet, and the client IP address is visible to the server. However, PBR requires manual, complex configuration and is prone to errors.

To overcome these drawbacks, configure APBR rules on the RISE appliance. When APBR is configured, the packets flow as described in the following procedure:

1. The client initiates traffic to the virtual IP (VIP) address.
   SRC_IP= Client_IP; DST_IP= VIP

2. The Cisco Nexus switch forwards the packet to the NetScaler ADC.
   SRC_IP= Client_IP; DST_IP= VIP

3. The ADC performs load balancing, changes the destination IP address to the appropriate server IP address, and forwards the packet to the Cisco Nexus switch in an APBR message.
   SRC_IP= Client_IP; DST_IP= RS_IP

4. The Cisco Nexus switch receives the packet and forwards it to a server by using a route map.
   SRC_IP= Client_IP; DST_IP= RS_IP

5. The server processes the packet and forwards it to the Cisco Nexus 7000 series switch.
   SRC_IP= RS_IP; DST_IP= Client_IP

6. When the packet reaches the Nexus switch, the switch applies the APBR rules, sets the next-hop IP address to that of the NetScaler ADC, and forwards the packet to the NetScaler ADC.
   SRC_IP= RS_IP; DST_IP= Client_IP

7. The NetScaler ADC changes the source IP address and forwards the packet to the Cisco Nexus 7000 series switch.
   SRC_IP= VIP; DST_IP= Client_IP

8. The Cisco Nexus 7000 series switch forwards the packet to the client.
   SRC_IP= VIP; DST_IP= Client_IP

The client receives the packet successfully.

Note: APBR rules are configured on the Cisco Nexus switch by the Citrix NetScaler appliance only if the Use Source IP (USIP) option is enabled in the services or service groups on the Citrix NetScaler appliance.

The APBR message control flow is as follows:

1. After USIP is enabled in the services on the NetScaler ADC, it publishes the IP address, port number, and protocol details of the server to the Cisco Nexus 7000 series switch over the RISE control channel.

2. Using the IP address, port number, and protocol details of the server, the Cisco Nexus 7000 series switch creates an APBR rule, which consists of ACLs and route maps.

   Note:
   - For local servers, the switch creates the ACLs and route maps itself.
   - For remote servers, the switch forwards the APBR messages to the other Cisco Nexus 7000 series switches.

3. The RISE appliance then applies the APBR rules to the switch virtual interface on the Cisco Nexus 7000 series switch that is connected to the server.
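The following Python model ties the packet-flow scenarios above (NAT versus client-IP preservation) to the control flow just described. It is an added illustration, not Citrix or Cisco code: the switch's APBR rule is modelled as a single match on the published server IP, port, and protocol with the ADC as next hop, all addresses are constructed RFC 5737/RFC 1918 placeholders, and the "USIP without APBR" case is an assumption included only to show why the return path must be steered back to the ADC.

```python
"""Toy model of the return-path scenarios above and of how the switch derives
an APBR rule from what the ADC publishes. Added example, not Citrix or Cisco
code. Addresses, rule shape and the no-APBR case are assumptions."""
from dataclasses import dataclass, replace

# Constructed addresses (placeholders, not from the page).
CLIENT_IP = "198.51.100.10"
VIP = "203.0.113.80"       # virtual IP the client connects to
NAT_IP = "10.0.0.254"      # source the ADC uses toward the server when USIP is off
ADC_IP = "10.0.0.1"        # ADC address the APBR route map uses as next hop
RS_IP = "10.0.10.5"        # real server


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class ApbrRule:
    """One ACL + route-map entry the switch builds for a published service."""
    server_ip: str
    port: int
    proto: str
    next_hop: str

    def matches(self, pkt: Packet) -> bool:
        # Return traffic: sourced by the server from the service port.
        return (pkt.proto == self.proto and pkt.src == self.server_ip
                and pkt.sport == self.port)


def build_apbr_rules(services, adc_ip):
    """Control channel: only USIP-enabled services are published, so only
    they yield rules. services = [(server_ip, port, proto, usip_enabled), ...]"""
    return [ApbrRule(ip, port, proto, adc_ip)
            for ip, port, proto, usip in services if usip]


def switch_next_hop(pkt, rules):
    """Nexus forwarding decision for a packet arriving on the server SVI:
    the APBR route map is consulted first, then plain destination routing."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.next_hop
    if pkt.dst in (VIP, NAT_IP):      # addresses owned by the ADC
        return ADC_IP
    return "upstream"                 # default route toward the clients


def simulate(usip, rules):
    """Walk one request/reply through ADC, switch and server.
    Returns (src IP the server sees, next hop chosen for the reply,
    src IP the client sees, or None if the reply bypassed the ADC)."""
    request = Packet(CLIENT_IP, VIP, "tcp", 51000, 80)
    # ADC load balances: rewrites the destination; keeps the client source only with USIP.
    to_server = replace(request, src=request.src if usip else NAT_IP, dst=RS_IP)
    server_sees = to_server.src
    reply = Packet(RS_IP, to_server.src, "tcp", to_server.dport, to_server.sport)
    next_hop = switch_next_hop(reply, rules)
    if next_hop != ADC_IP:
        return server_sees, next_hop, None   # asymmetric path: ADC never un-NATs the reply
    # ADC rewrites the source to the VIP and forwards to the client.
    to_client = replace(reply, src=VIP, dst=CLIENT_IP)
    return server_sees, next_hop, to_client.src


if __name__ == "__main__":
    services = [(RS_IP, 80, "tcp", True)]
    print("NAT (USIP off):   ", simulate(usip=False, rules=[]))
    print("USIP, no APBR:    ", simulate(usip=True, rules=[]))
    print("USIP + APBR:      ", simulate(usip=True, rules=build_apbr_rules(services, ADC_IP)))
```

Running the block shows the three outcomes side by side: with USIP off the server sees NAT_IP, so the reply is addressed to the ADC and symmetry is free but the client IP is lost; with USIP on and no return-path rule the reply is addressed to the client and the switch's ordinary routing sends it upstream, bypassing the ADC; with the APBR rule in place the route map overrides destination routing and the reply reaches the ADC, which restores the VIP as source. Only a service with USIP enabled produces a rule, matching the note above.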